Category: adware

What is Save Keep?
Save Keep is an adware program that displays extra pop-up ads and advertisements on web pages that you visit. These advertisements will be shown as boxes containing various coupons that are available, as underlined keywords, pop-up ads or advertising banners.

How to manually remove Save Keep?
Locate and erase the following browser extensions: savekeep, suave keepo, save keep. Keep in mind that there might be many extensions with similar names. We recommend that you remove all suspicious browser extensions.

What is Yontoo?
Yontoo is a web browser toolbar extension. It collects and stores information about your web browsing habits so that it can suggest services or provide advertising. The program is typically bundled by third-party freeware applications, as it is distributed through several monetization platforms.

What is JollyWallet?
Jollywallet is a browser plug-in created by Radyoos Media Ltd. It promises to save users money whilst shopping online (by recouping a percentage of any money spent). This browser add-on is not technically a computer virus or related to malware infections; however, computer users have recently reported that Jollywallet was installed on their computers without their consent. Many also complain that they feel annoyed by pop-up ads generated by this browser add-on and prefer to shop online without the imposition of these offers. Unwilling or inadvertent installations such as these may occur as a result of Jollywallet’s use of a deceptive marketing method called bundling. Commonly, Internet users inadvertently install browser extensions such as these together with free software downloaded from the Internet.

Some of the items cannot be removed without administrator access.

If you have Firefox installed, go to the following folder:

~/Library/Application Support/Firefox/Profiles/

Inside that folder, you will find another folder whose name begins with a series of random characters and ends with “.default”. Open that folder. Inside this folder, remove the following items:

abstraction.js
takeOverNewTab.txt
searchplugins/[any file with "Conduit" in the name].xml
searchplugins/MyBrand.xml

Finally, be aware that some variants of Conduit are known to modify the Firefox application itself. If you have Firefox installed, there is no easy remedy to this except to delete the Firefox application entirely and download it again from mozilla.org.
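The check described above can be scripted so that it only reports what it finds and deletes nothing. This is an added example, not part of the original guide; the function name and the optional directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report (never delete) the Conduit leftovers listed above.
# Usage: scan_firefox_profiles [profiles_dir]
scan_firefox_profiles() {
    profiles_dir="${1:-$HOME/Library/Application Support/Firefox/Profiles}"
    [ -d "$profiles_dir" ] || return 0
    # The guide names folders ending in ".default"; the trailing * also
    # matches newer Firefox names such as ".default-release".
    for profile in "$profiles_dir"/*.default*; do
        [ -d "$profile" ] || continue
        # Fixed file names given in the guide
        for name in abstraction.js takeOverNewTab.txt searchplugins/MyBrand.xml; do
            if [ -e "$profile/$name" ]; then
                printf '%s\n' "$profile/$name"
            fi
        done
        # Any search plugin with "Conduit" in its file name
        for plugin in "$profile"/searchplugins/*Conduit*.xml; do
            if [ -e "$plugin" ]; then
                printf '%s\n' "$plugin"
            fi
        done
    done
    return 0
}
```

Call `scan_firefox_profiles` with no argument to check the current user's profiles, then review each reported path before moving it to the Trash.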

If you found the CT2285220.bundle SIMBL plugin earlier, you will probably want to remove SIMBL as well, unless you had it installed for a specific purpose. To remove SIMBL, move the following items to the trash:

What is Genieo?
Genieo (also known as InstallMac) is probably one of the most prevalent adware programs in recent years. It was introduced by a well-known Israeli company that distributed it on the web.

Genieo is a “content recommendation engine,” which is installed on a local system to allow custom searches and targeted advertising to be presented on a homepage, managed through a browser extension. In essence, it tracks what you do and guides your searches and activity to relevant commercial sites and deals.

Genieo Homepage

This is somewhat similar to home pages like Google, Bing, Yahoo, or Facebook that offer their own recommendations, offers, ads, and other details based on your internet activity; however, while these do so from you logging into an online account, Genieo does so from being installed on your computer.

The Genieo engine and installer are openly available at the Genieo Website, and while the intention behind Genieo may have started as a legitimate effort, the engine has been used in a number of ways and has a couple of behaviors associated with it that have been suspicious:

Genieo has been found in fake Flash Player installers and other disguised packages, which is a tell-tale sign of malicious distribution of the software.

Genieo has not been easy to remove. While the program comes with an uninstaller, using this has proven to be ineffective for clearing the system of installed files.

Genieo uses unconventional modifications to the operating system to tag its services onto existing applications.

One of the major problems that Genieo faces is that it promises developers a distribution and monetization platform through its sister effort called “InstallMac.” While intended to be somewhat like the Mac App Store in some ways, any developer can package their software with InstallMac and get paid for each installation. Therefore, simply by downloading and installing a relatively unknown and un-vetted application, you could have installed the Genieo framework, plug-ins, and applications on your Mac.

1. On the Apple menu bar, in the top-right corner, click the Genieo icon and then select Quit.

2. From the dock, launch Finder.

3. In the top-right corner of the Finder window, in the search box / spotlight search, type launchd.conf and press return.

4. To modify the search criteria and look for Genieo files in system files, click the Add (+) icon.

5. From the toolbar that appears under Search: This Mac, click Kind and then from the drop-down menu, select Other.

6. In the Select a search attribute dialog box, scroll-down and check the box next to System files, and then click OK.

7. When the search criterion is set to System files, select are included from the drop-down menu.

The search results are updated, and system files that match the keyword being searched are displayed.

8. Select launchd.conf from the search results, and move it to Trash.

If you cannot find "launchd.conf", do not delete ".dylib" files in Step 9. Follow the instructions carefully: deleting the wrong file can cause your computer to freeze, and it may not restart.

What is Vidx?
Created by a company called VidX Project Ltd., Vidx is a potentially unwanted application, which installs on browsers (Safari, Google Chrome, and Mozilla Firefox) together with free software downloaded from the Internet. Developers of this browser add-on claim that Vidx creates a noticeably superior digital video viewing experience. In fact, this add-on is categorized as a potentially unwanted application, since it installs on Internet browsers without users’ consent and generates intrusive ads.

(If you locate files with the same name in other folders remove them as well.)

Check the following folder too: /Library/LaunchDaemons/
In this folder, look for files with nonsensical names (for instance, ‘IKoJCcOml.plist’). If you find any such files, delete them immediately. Delete nothing else from this folder!

Vidx can also attach malicious JavaScript code to your browser preferences (both Firefox and Chrome). The effect is not detrimental, but we still advise you to remove those particular files:

What is GoPhoto.it?
GoPhoto.It is a program and browser extension designed for viewing zoomable thumbnails as high-quality images for photo albums and profiles on Facebook, Flickr, and other websites. It offers sharing and applying various effects to these images. However, GoPhoto.It is packed with adware developed for displaying ads in Chrome, Firefox, and Internet Explorer. Attractive features facilitate the installation, but GoPhoto.It is often deceptively installed with other free programs. Adware runs activities that can compromise your security and privacy. GoPhoto.It tracks your web browsing and collects various information about your computer system, location, and websites that you visit. This information is commonly shared among promoters and is eventually accessed by third parties that can use it for malicious purposes. As a result, your identity might be stolen and used for theft and other illegal activities.

What is Spigot?
Spigot is a term used to describe potentially unwanted applications developed by Spigot Inc. Adware created by this company installs together with free software using a deceptive software marketing method called ‘bundling’. Commonly, computer users install such unwanted applications whilst downloading free software. Today, most freeware download websites (including download.com, soft32.com, softonic.com, etc.) use deceptive ‘download clients’, which manage the download process of free software – these small programs are also used to monetize the free downloads by offering installation of promoted browser plugins.

What is PremierOpinion?
PremierOpinion is a spyware infection with adware techniques and has root components that allow PremierOpinion to start up automatically whenever the victim tries to shut PremierOpinion down.

PremierOpinion is often contained in a fake screensaver for Mac OS X computers. Also known as OpinionSpy, PremierOpinion can also be contained in various infected applications.

How to manually remove PremierOpinion?
Unfortunately, security companies have no full insight into all of Premier Opinion’s malicious capabilities. The older version was known to give its creators a backdoor to access infected systems, a trick which is very likely present in the new version too.

The safest thing to do is to erase all data from the hard drive and to install OS X again. In the following paragraph, we will provide some directions for those who want to remove Premier Opinion without removing everything else.

Firstly, erase the browser extension installed by Premier Opinion. Locate all unknown extensions and place them in the trash. Also remove files/folders located at:

What is VSearch?
VSearch is a relatively popular adware program, met mostly under the cover of video-streaming installers. Some of you may recognise it under the name of Downlite, a scam torrent downloader which has not been present on the web recently. VSearch can be easily recognised: once you try to open a particular page, it redirects you to another search engine, or it simply causes unrelated pop-up advertisements to appear on your screen. VSearch was a pioneer among adware apps to be identified as malicious by Apple. The program was blocked, but the threat remains.

How to remove VSearch?
The following things should be eliminated. Keep in mind that for some of them you need administrator access, so check whether you’re actually logged in through your Mac’s admin account. If you are not, it is very likely that you will be unable to delete some items. Further on, remember that we are only discussing the known VSearch items, which don’t encompass all of them. If you are not able to find a specific file using the path below, read up on locating files from paths.

As we mentioned, ‘xxx’ can stand for any word. What is important to remember is that the particular word in a system will repeat itself in all files on that system. Therefore, if you recognise the word in any of your files, delete them!

Additionally, check the LaunchAgents and LaunchDaemons files and look for specific ‘xxx’ locations:
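Both launchd checks in this guide (the nonsensically named files in /Library/LaunchDaemons/ from the Vidx section, and the repeating ‘xxx’ word here) can be run as a report-only audit. This is an added example, not part of the original guide; the function names are hypothetical, and treating a plist name with no dots as "nonsensical" is a heuristic assumption.

```shell
#!/bin/sh
# Added example: report-only audit of launchd folders; it deletes nothing.

# Print plists in DIR whose name is not reverse-DNS style (no dot before
# ".plist"), e.g. "IKoJCcOml.plist". Heuristic assumption: review by hand.
list_odd_plists() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.plist; do
        [ -e "$f" ] || continue
        base=$(basename "$f" .plist)
        case "$base" in
            *.*) ;;                      # com.vendor.name: looks normal
            *)   printf '%s\n' "$f" ;;   # single token: flag for review
        esac
    done
}

# Print files in the given folders whose name or content contains TOKEN
# (the per-system 'xxx' word), matched case-insensitively.
find_token() {
    token="$1"; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            if printf '%s' "$(basename "$f")" | grep -qi -F -- "$token" ||
               grep -qi -F -- "$token" "$f"; then
                printf '%s\n' "$f"
            fi
        done
    done
}

# Run both checks on the standard macOS launchd folders. Only
# /Library/LaunchDaemons is named in the guide; the others are assumed.
audit_launchd() {
    list_odd_plists /Library/LaunchDaemons
    if [ -n "$1" ]; then
        find_token "$1" "$HOME/Library/LaunchAgents" \
            /Library/LaunchAgents /Library/LaunchDaemons
    fi
    return 0
}
```

Run `audit_launchd` with the word you identified as its argument, and inspect each reported file before removing it.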